This sample chapter from Cisco Secure Internet Security Solutions explains how dial-in users can be authenticated using the local database. As an example, the chapter includes a basic AAA configuration. Next, the chapter takes an in-depth look at the AAA authentication process using a TACACS+ server. Finally, the chapter explores how IPSec can be used to secure VPNs coming into the network through the Internet.

Sometimes security has more to do with politics and human resources issues
than with networking. The security administrator is constantly pulled between
needing to maintain a reasonable level of security and allowing users the
flexibility to get their work done. The administrator is faced with balancing
these two often-opposing needs. How can a balance be achieved? Security policies
should be looked at in the same manner as clothing. Clothing should not be so
tight that it restricts movement, but it still needs to cover that which should
not be revealed to the public. A suit that is too restrictive will soon be left
in the closet, along with a suit that is too big in the shoulders. Like tailoring
a suit, the art of building a security system is a matter of balancing between
too loose and too tight.

When thinking about securing the corporate network, keep in mind the three
main ways someone can try to gain access to the corporate network:

Through the Internet

Through dial-in access

Through Virtual Private Networks (VPNs)

Chapter 2, "Basic Cisco Router Security," and Chapter 5,
"Cisco IOS Firewall," discussed methods of protecting your network
from the Internet. Not covered in those chapters was how to protect your network
from dial-in access and VPNs coming in through the Internet. The security needs
of each of these access methods are discussed in this chapter.

Dial-In Security

The need to support dial-in users might prove to be the security
administrator's largest challenge. This is especially true if users are
allowed to dial in directly to their workstations or servers, bypassing all
other security methods.

Dial-in access can come either through the plain old telephone service (POTS)
or through an ISDN connection. Because ISDN connections are expensive, there are
generally fewer individuals who have an ISDN connection at their desk. However,
the price of telephone connections is so low that it is reasonable for
individuals to have dedicated connections at their desktop. The remainder of
this section deals with connections over POTS.

Within some organizations, there are groups and individuals who insist that
the normal security precautions need to be bypassed because of special circumstances.
Sometimes those insisting on bypassing the security precautions are developers,
sometimes they are managers, and sometimes they are network engineers. In most
cases, the arguments as to why the security must be bypassed seem logical on
the surface. For example, the argument can be made that direct access to the
hardware is required for debugging purposes. Another common argument is that
a connection must be made for testing purposes without interference or delays
imposed by security methods. This scenario differs from one where there is a
single central device on the network for dial-in access (such as a Cisco
access server or a single Windows NT RAS server) in that there are
multiple entry points into the network, each outside central control. A company
with multiple dial-in connections is shown in Figure 10-1.

Once the network starts to become open to remote access without proper
authorization, it can be very difficult for the administrator to regain control.
Although it is much easier to maintain control than to regain control, it is
still possible to move from an unsecured dial-in network to a fully secured
dial-in network.

Assume for a moment that you are the newly hired administrator for a 600-host
Windows NT network. You discover that there are approximately 50 users who
connect a modem to their desktop PC and routinely call into the network through
this connection for access to e-mail, network programs, and shared files. What,
exactly, is the problem with this scenario? Several things can be improved:

If the phone lines can be eliminated through consolidation, recurring
expenses in the form of unnecessary phone lines can be eliminated. Some phone
systems require that modems use a dedicated line. In this case, a separate line
must be purchased for use on each modem. Because not all lines are in use at
exactly the same time, the company ends up purchasing more lines than are ever
used at one time. Building a modem pool allows the administrator to eliminate
some of these lines. The authors of this book were faced with exactly this
scenario and were able to remove a total of 24 dedicated lines by building a
modem pool, saving the company a good deal of money over the first
year.

Allowing users to access their computers directly through an uncontrolled
dial-up connection decentralizes security. It can become a nearly impossible
task to ensure any semblance of security when individual users are setting up
their own connections into the network. The user might set up the connection not
to require a password or might make the password so obvious that it is useless.
A single administrator would find it extremely difficult to check every
single connection on a regular basis for configuration issues such as encryption
and dial-back services.

In this example, the company relies solely on the built-in security
methods within the operating system of the desktop. Many operating systems were
not built with security as a primary concern. Even those operating systems that
claim to have strong security policies might be vulnerable, simply because they
are well known and widely studied. There are also usually no built-in methods
within the operating system that allow the administrator to be notified if
repeated attempts to break into the network occur.

Unless the administrator has control over dial-in connections, the
administrator is unable to limit the areas of the network that a dial-in user
can access. Some companies might wish, for example, not to allow any
confidential information to be accessed through a dial-in connection. With a
large number of operating systems, a user dialing into a workstation has the
same rights as that workstation. There might not be provisions made to
differentiate the authority levels between a dial-in account and a local user.
This means that there is no way to enforce the company's wish that
sensitive information be available only through the local network.

For these reasons, the administrator is strongly urged to move toward a centralized
dial-in point where appropriate controls can be applied. The fact that all users
enter at a single point simplifies all administrative efforts, including security.
A diagram of a network using a single point of access through an access server
and modem bank is shown in Figure 10-2.
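To make the centralized model concrete, the following Cisco IOS fragment is an added example (not a configuration from the book) of an access server that applies, at the single entry point, the controls the preceding paragraphs call for: local-database authentication of dial-in users, an access list that keeps dial-in traffic away from a confidential subnet, and logging of failed logins. The interface names, the 10.0.50.0/24 "confidential" subnet, the 10.0.100.x address pool, the user names and the 16-line modem range are all constructed placeholders; the login-failure logging commands assume an IOS release that supports the login enhancements.

```cisco
! --- AAA: authenticate every dial-in user against the local database ---
aaa new-model
aaa authentication login default local
aaa authentication ppp default local
aaa authorization network default local
!
! Local user database (placeholder accounts; use strong secrets in practice)
username alice secret REPLACE_WITH_STRONG_SECRET
username bob secret REPLACE_WITH_STRONG_SECRET
!
! Log failed logins so repeated break-in attempts become visible centrally
login on-failure log
login on-success log
logging buffered 16384 informational
!
! Addresses handed to dial-in peers (constructed pool)
ip local pool DIALIN 10.0.100.1 10.0.100.16
!
! Policy: dial-in users may not reach the confidential subnet 10.0.50.0/24
ip access-list extended DIALIN_IN
 deny   ip any 10.0.50.0 0.0.0.255 log
 permit ip any any
!
! One logical interface for all 16 modem lines of the pool
interface Group-Async1
 ip unnumbered Ethernet0
 ip access-group DIALIN_IN in
 encapsulation ppp
 async mode interactive
 peer default ip address pool DIALIN
 ppp authentication chap
 group-range 1 16
!
! The physical modem lines
line 1 16
 login authentication default
 modem InOut
 autoselect during-login
 autoselect ppp
 transport input all
```

Because every modem line runs through `line 1 16` and `Group-Async1`, a change to the access list or to the user database takes effect for all dial-in users at once, which is the administrative benefit the section argues for.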